Merge pull request #1477 from unraid/remove-legacy-certs

remove support for legacy unraid.net certs
This commit is contained in:
tom mortensen
2023-10-26 12:41:02 -07:00
committed by GitHub
3 changed files with 20 additions and 39 deletions


@@ -56,7 +56,7 @@ $nginx = (array)@parse_ini_file('/var/local/emhttp/nginx.ini');
$addr = _var($nginx,'NGINX_LANIP') ?: _var($nginx,'NGINX_LANIP6');
$keyfile = empty(_var($var,'regFILE')) ? false : @file_get_contents(_var($var,'regFILE'));
$cert2Issuer = '';
$isLEcert = false;
$isWildcardCert = false;
if ($keyfile !== false) $keyfile = base64_encode($keyfile);
// self-signed or user-provided cert
@@ -82,25 +82,18 @@ if ($cert2Present) {
$cert2Subject = exec("/usr/bin/openssl x509 -in $cert2File -noout -subject -nameopt multiline 2>/dev/null|sed -n 's/ *commonName *= //p'");
$cert2Issuer = exec("/usr/bin/openssl x509 -in $cert2File -noout -text | sed -n -e 's/^.*Issuer: //p'");
$cert2Expires = exec("/usr/bin/openssl x509 -in $cert2File -noout -text | sed -n -e 's/^.*Not After : //p'");
$isLegacyCert = preg_match('/.*\.unraid\.net$/', $cert2Subject);
$isWildcardCert = preg_match('/.*\.myunraid\.net$/', $cert2Subject);
$isLEcert = $isLegacyCert || $isWildcardCert;
$subject2URL = $cert2Subject;
if ($isWildcardCert) {
if (!$addr)
// if eth0 doesn't have an IP address, then show noip.hash.myunraid.net as a placeholder url
$subject2URL = str_replace("*", 'noip', $subject2URL);
elseif (strpos($addr, ":") === false)
$subject2URL = str_replace("*", str_replace(".", "-", $addr), $subject2URL);
else
$subject2URL = str_replace("*", str_replace(":", "-", $addr), $subject2URL);
}
if ($isLEcert) {
exec("openssl x509 -checkend 2592000 -noout -in $cert2File 2>/dev/null", $arrout, $retval_expired);
if (!$addr) {
// if eth0 doesn't have an IP address, then show noip.hash.myunraid.net as a placeholder url
$subject2URL = str_replace("*", 'noip', $subject2URL);
$dnsValid = false;
$dnsRebindingProtection = false;
} elseif (strpos($addr, ":") === false) {
// eth0 is IPv4
$subject2URL = str_replace("*", str_replace(".", "-", $addr), $subject2URL);
$rebindtest_ip = exec("host -4 -t A rebindtest4.myunraid.net 2>/dev/null|awk '{print \$4}'");
$dnsRebindingProtection = ($rebindtest_ip != "192.168.42.42");
if (!$dnsRebindingProtection) {
@@ -108,6 +101,8 @@ if ($cert2Present) {
$dnsValid = $cert_ip==$addr;
}
} else {
// eth0 is IPv6
$subject2URL = str_replace("*", str_replace(":", "-", $addr), $subject2URL);
$rebindtest_ip = exec("host -6 -t AAAA rebindtest6.myunraid.net 2>/dev/null|awk '{print \$4}'");
// more: restore this after TTL expires
// $dnsRebindingProtection = ($rebindtest_ip != "fd42::42");
@@ -166,14 +161,12 @@ case 'auto': // aka strict
}
$cert_time_format = $display['date'].($display['date']!='%c' ? ', '.str_replace(['%M','%R'],['%M:%S','%R:%S'],$display['time']):'');
$provisionlabel = $isLEcert ? _('Renew') : _('Provision');
$disabled_provision = $keyfile===false || ($isLEcert && $retval_expired===0) || !$addr ? 'disabled' : '';
$provisionlabel = $isWildcardCert ? _('Renew') : _('Provision');
$disabled_provision = $keyfile===false || ($isWildcardCert && $retval_expired===0) || !$addr ? 'disabled' : '';
$disabled_provision_msg = !$addr ? _('Ensure the primary network card eth0 has an IP address.') : '';
$disabled_upgrade = !$addr ? 'disabled' : '';
$disabled_updatedns = $keyfile!==false && $isLEcert ? '' : 'disabled';
$disabled_updatedns = $keyfile!==false && $isWildcardCert ? '' : 'disabled';
$disabled_delete = $cert2Present && $var['USE_SSL']!='auto' ? '' : 'disabled';
$disabled_auto = $isLEcert && !$dnsRebindingProtection && $dnsValid ? '' : 'disabled';
$upgradelabel = _('Upgrade Cert');
$disabled_auto = $isWildcardCert && !$dnsRebindingProtection && $dnsValid ? '' : 'disabled';
// Get ports in use
$portsInUse = [];
@@ -440,11 +433,6 @@ _(CA-signed certificate file)_:
 
: <button type="submit" name="changePorts" value="Provision" <?=$disabled_provision?>><?=$provisionlabel?></button><button type="submit" name="changePorts" value="Delete" <?=$disabled_delete?> >_(Delete)_</button><!-- <button type="button" onclick="updateDNS(this)" <?=$disabled_updatedns?>>_(Update DNS)_</button> --><?=$disabled_provision_msg?>
<?if ($cert2Present && $isLegacyCert):?>
&nbsp;
: <button type="submit" name="changePorts" value="Upgrade" <?=$disabled_upgrade?>><?=$upgradelabel?></button>
<?endif;?>
:mgmt_certificate_expiration_help:
</form>
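Review bot: The `exec` calls in the `@@ -82` hunk still interpolate `$cert2File` straight into a shell command line (the three `openssl x509 -in $cert2File` calls at the top of the hunk and the `-checkend` call inside the new `if ($isWildcardCert)` block), while the provisioning script changed in this same PR wraps the path with `escapeshellarg($certPath)`. If `$cert2File` is a fixed path assigned above the hunk this is only an inconsistency, but making the two files agree is cheap: `exec("openssl x509 -checkend 2592000 -noout -in ".escapeshellarg($cert2File)." 2>/dev/null", $arrout, $retval_expired);` and the same wrapping for the subject, issuer and expiry calls. A smaller point on the new `$isWildcardCert` test: `'/.*\.myunraid\.net$/'` also accepts a subject with a trailing newline because `$` matches before a final newline, so `\z` pins the end of string more precisely. The `if ($cert2Present)` block that encloses these lines starts and ends outside the hunks.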


@@ -47,9 +47,8 @@ $certPresent = file_exists($certPath);
if ($certPresent) {
// renew existing cert
$certSubject = exec("/usr/bin/openssl x509 -subject -noout -in ".escapeshellarg($certPath));
$isLegacyCert = preg_match('/.*\.unraid\.net$/', $certSubject);
$isWildcardCert = preg_match('/.*\.myunraid\.net$/', $certSubject);
if ($isLegacyCert || $isWildcardCert) {
if ($isWildcardCert) {
exec("/usr/bin/openssl x509 -checkend 2592000 -noout -in ".escapeshellarg($certPath), $arrout, $retval_expired);
if ($retval_expired === 0) {
// not within 30 days of cert expire date
@@ -60,7 +59,6 @@ if ($certPresent) {
response_complete(406, '{"error":"'._('Cannot renew a custom cert at').' '.$certPath.'"}');
}
}
$endpoint = ($certPresent && $isLegacyCert) ? "provisioncert" : "provisionwildcard";
$keyfile = empty($var['regFILE']) ? false : @file_get_contents($var['regFILE']);
if ($keyfile === false) {
@@ -68,7 +66,7 @@ if ($keyfile === false) {
}
$keyfile = @base64_encode($keyfile);
$ch = curl_init("https://keys.lime-technology.com/account/ssl/$endpoint");
$ch = curl_init("https://keys.lime-technology.com/account/ssl/provisionwildcard");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
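Review bot: With `$isLegacyCert` removed, an existing cert whose subject still matches `*.unraid.net` now falls through to the `response_complete(406, ... 'Cannot renew a custom cert at' ...)` branch, so a user whose legacy cert has not yet been deleted by the nginx startup cleanup added in this PR is told it is a custom cert; the `if ($isWildcardCert)` that decides this starts in the first hunk but its else branch begins between the hunks, so this is inferred. Worth a comment above the 406, e.g. `// a non-wildcard cert here is either user-provided or a leftover legacy unraid.net cert; neither can be renewed through this endpoint`, or a separate check with its own wording. That same line also splices `$certPath` into a JSON body by string concatenation; `json_encode(['error' => _('Cannot renew a custom cert at').' '.$certPath])` keeps the response valid JSON whatever the path contains.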


@@ -12,9 +12,7 @@
# LANNAME 'tower'
# LANMDNS 'tower.local'
# LANFQDN 'lan-ip.hash.myunraid.net' (wildcard cert)
# LANFQDN 'hash.unraid.net' (legacy cert)
# WANFQDN 'wan-ip.hash.myunraid.net' (wildcard cert)
# WANFQDN 'www.hash.unraid.net' (legacy)
# WG0FQDN 'wg0-ip.hash.myunraid.net' (wildcard cert)
DAEMON="Nginx server daemon"
@@ -44,6 +42,12 @@ SERVER_NAMES=()
[[ $PORTSSL != 443 ]] && PORTSSL_URL=":$PORTSSL"
[[ $PORT != 80 ]] && PORT_URL=":$PORT"
# delete legacy unraid.net certificate
if [[ -f $CERTPATH ]]; then
TMPCERTNAME=$(openssl x509 -noout -subject -nameopt multiline -in $CERTPATH | sed -n 's/ *commonName *= //p')
[[ $TMPCERTNAME == *\.unraid\.net ]] && rm $CERTPATH
fi
# if USE_SSL="auto" and no uploaded cert, treat like USE_SSL="no"
[[ $USE_SSL == auto && ! -f $CERTPATH ]] && USE_SSL=no
@@ -261,7 +265,6 @@ build_servers(){
#
# Port settings for https using CA-signed cert
# ex: https://lan-ip.hash.myunraid.net
# ex: https://hash.unraid.net
#
server {
$(listen $PORTSSL ssl)
@@ -501,15 +504,7 @@ build_ssl(){
WANIP=$(curl https://wanip4.unraid.net/ 2>/dev/null)
WANIP6=$(curl https://wanip6.unraid.net/ 2>/dev/null)
fi
if [[ $CERTNAME == *\.unraid\.net ]]; then
# legacy LE certificate (only supports IPv4)
LANFQDN=$CERTNAME
SERVER_NAMES+=($LANFQDN)
if [[ -n $WANACCESS && -n $WANIP ]]; then
WANFQDN="www.$CERTNAME"
SERVER_NAMES+=($WANFQDN)
fi
elif [[ $CERTNAME == *\.myunraid\.net ]]; then
if [[ $CERTNAME == *\.myunraid\.net ]]; then
# wildcard LE certificate
[[ -n $LANIP ]] && LANFQDN=$(fqdn $LANIP) SERVER_NAMES+=($LANFQDN)
[[ -n $LANIP6 ]] && LANFQDN6=$(fqdn $LANIP6) SERVER_NAMES+=($LANFQDN6)
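Review bot: In the new legacy-cert cleanup block (hunk `@@ -44,6 +42,12`), `$CERTPATH` is passed unquoted to `openssl x509 ... -in $CERTPATH` and to `rm $CERTPATH`; inside `[[ ]]` the bare variable is safe, but in those two command lines it is subject to word splitting and globbing. If `CERTPATH` is a constant set earlier in the script this is harmless today, but quoting costs nothing: `TMPCERTNAME=$(openssl x509 -noout -subject -nameopt multiline -in "$CERTPATH" | sed -n 's/ *commonName *= //p')` and `[[ $TMPCERTNAME == *\.unraid\.net ]] && rm "$CERTPATH"`. Deleting a certificate silently at service start is also an action an operator will want to see, so echoing the removal would help, and a comment such as `# legacy unraid.net certs can no longer be renewed; remove them so the USE_SSL=auto fallback below applies` would explain why the file disappears. The `[[ $USE_SSL == auto && ! -f $CERTPATH ]] && USE_SSL=no` line directly below depends on this deletion having run first, which is worth stating in that comment.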